Bruce A. Radke and Michael J. Waters, Vedder Price Shareholders and members of the firm's Records Management, eDiscovery and Data Privacy practice group, were recently quoted in the Law360 article "Retailers Take Brunt Of Breach Liability Under New Bills."

While citing specific legislation recently introduced in California and Minnesota, the article proposes that both state and federal lawmakers are moving to tighten breach notification standards, impose enhanced requirements on how retailers secure consumer data and respond to breaches, and shift liability for data breaches onto retailers.

Mr. Radke, Chair of the firm's Records Management, eDiscovery and Data Privacy practice group was quoted saying that "[c]ertainly, there is a trend for more [requirements on retailers to secure consumer data], as opposed to less." He added that ". . . [t]he new laws being proposed raise the issue of data security from a nice-to-have to a must-have."

In the article, Mr. Waters commented that "[f]ormal data privacy and security regulations exist for the financial industry and the securit[ies] area[s], but there are not industry-specific regulations for the retail area . . . . Because of this, some legislators have determined . . . this is an area [that] could use some additional oversight." Mr. Waters stated that it may be unfair to automatically hold retailers liable for every breach they may experience, since often there are third-party venders involved that may ultimately be responsible, and in some circumstances retailers may have done everything they could to prevent the data security breach, but due to the sophistication of hackers, they suffered a breach anyway. Mr. Waters also pointed out that if states begin enacting statutory damages, it may be easier for class actions to go forward since the courts have said a fear that plaintiffs have suffered identity theft is typically not enough to sustain their claims.

To read the complete article, click here (login credentials may be required).